Annotation of src/usr.bin/ssh/auth-options.c, Revision 1.8
1.3 deraadt 1: /*
2: * Author: Tatu Ylonen <ylo@cs.hut.fi>
3: * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
4: * All rights reserved
5: * As far as I am concerned, the code I have written for this software
6: * can be used freely for any purpose. Any derived versions of this
7: * software must be clearly marked as such, and if the derived work is
8: * incompatible with the protocol description in the RFC file, it must be
9: * called by a name other than "ssh" or "Secure Shell".
10: */
11:
1.1 markus 12: #include "includes.h"
1.8 ! markus 13: RCSID("$OpenBSD: auth-options.c,v 1.7 2000/12/19 23:17:54 markus Exp $");
1.1 markus 14:
15: #include "ssh.h"
16: #include "packet.h"
17: #include "xmalloc.h"
18: #include "match.h"
19:
20: /* Flags set authorized_keys flags */
21: int no_port_forwarding_flag = 0;
22: int no_agent_forwarding_flag = 0;
23: int no_x11_forwarding_flag = 0;
24: int no_pty_flag = 0;
25:
26: /* "command=" option. */
27: char *forced_command = NULL;
28:
29: /* "environment=" options. */
30: struct envstring *custom_environment = NULL;
31:
1.5 markus 32: void
33: auth_clear_options(void)
34: {
35: no_agent_forwarding_flag = 0;
36: no_port_forwarding_flag = 0;
37: no_pty_flag = 0;
38: no_x11_forwarding_flag = 0;
39: while (custom_environment) {
40: struct envstring *ce = custom_environment;
41: custom_environment = ce->next;
42: xfree(ce->s);
43: xfree(ce);
44: }
45: if (forced_command) {
46: xfree(forced_command);
47: forced_command = NULL;
48: }
49: }
50:
1.1 markus 51: /* return 1 if access is granted, 0 if not. side effect: sets key option flags */
52: int
1.7 markus 53: auth_parse_options(struct passwd *pw, char *options, u_long linenum)
1.1 markus 54: {
55: const char *cp;
56: if (!options)
57: return 1;
1.5 markus 58:
59: /* reset options */
60: auth_clear_options();
61:
1.1 markus 62: while (*options && *options != ' ' && *options != '\t') {
63: cp = "no-port-forwarding";
1.6 markus 64: if (strncasecmp(options, cp, strlen(cp)) == 0) {
1.1 markus 65: packet_send_debug("Port forwarding disabled.");
66: no_port_forwarding_flag = 1;
67: options += strlen(cp);
68: goto next_option;
69: }
70: cp = "no-agent-forwarding";
1.6 markus 71: if (strncasecmp(options, cp, strlen(cp)) == 0) {
1.1 markus 72: packet_send_debug("Agent forwarding disabled.");
73: no_agent_forwarding_flag = 1;
74: options += strlen(cp);
75: goto next_option;
76: }
77: cp = "no-X11-forwarding";
1.6 markus 78: if (strncasecmp(options, cp, strlen(cp)) == 0) {
1.1 markus 79: packet_send_debug("X11 forwarding disabled.");
80: no_x11_forwarding_flag = 1;
81: options += strlen(cp);
82: goto next_option;
83: }
84: cp = "no-pty";
1.6 markus 85: if (strncasecmp(options, cp, strlen(cp)) == 0) {
1.1 markus 86: packet_send_debug("Pty allocation disabled.");
87: no_pty_flag = 1;
88: options += strlen(cp);
89: goto next_option;
90: }
91: cp = "command=\"";
1.6 markus 92: if (strncasecmp(options, cp, strlen(cp)) == 0) {
1.1 markus 93: int i;
94: options += strlen(cp);
95: forced_command = xmalloc(strlen(options) + 1);
96: i = 0;
97: while (*options) {
98: if (*options == '"')
99: break;
100: if (*options == '\\' && options[1] == '"') {
101: options += 2;
102: forced_command[i++] = '"';
103: continue;
104: }
105: forced_command[i++] = *options++;
106: }
107: if (!*options) {
108: debug("%.100s, line %lu: missing end quote",
1.5 markus 109: SSH_USER_PERMITTED_KEYS, linenum);
1.1 markus 110: packet_send_debug("%.100s, line %lu: missing end quote",
1.5 markus 111: SSH_USER_PERMITTED_KEYS, linenum);
1.1 markus 112: continue;
113: }
114: forced_command[i] = 0;
115: packet_send_debug("Forced command: %.900s", forced_command);
116: options++;
117: goto next_option;
118: }
119: cp = "environment=\"";
1.6 markus 120: if (strncasecmp(options, cp, strlen(cp)) == 0) {
1.1 markus 121: int i;
122: char *s;
123: struct envstring *new_envstring;
124: options += strlen(cp);
125: s = xmalloc(strlen(options) + 1);
126: i = 0;
127: while (*options) {
128: if (*options == '"')
129: break;
130: if (*options == '\\' && options[1] == '"') {
131: options += 2;
132: s[i++] = '"';
133: continue;
134: }
135: s[i++] = *options++;
136: }
137: if (!*options) {
138: debug("%.100s, line %lu: missing end quote",
1.5 markus 139: SSH_USER_PERMITTED_KEYS, linenum);
1.1 markus 140: packet_send_debug("%.100s, line %lu: missing end quote",
1.5 markus 141: SSH_USER_PERMITTED_KEYS, linenum);
1.1 markus 142: continue;
143: }
144: s[i] = 0;
145: packet_send_debug("Adding to environment: %.900s", s);
146: debug("Adding to environment: %.900s", s);
147: options++;
148: new_envstring = xmalloc(sizeof(struct envstring));
149: new_envstring->s = s;
150: new_envstring->next = custom_environment;
151: custom_environment = new_envstring;
152: goto next_option;
153: }
154: cp = "from=\"";
1.6 markus 155: if (strncasecmp(options, cp, strlen(cp)) == 0) {
1.1 markus 156: int mname, mip;
157: char *patterns = xmalloc(strlen(options) + 1);
158: int i;
159: options += strlen(cp);
160: i = 0;
161: while (*options) {
162: if (*options == '"')
163: break;
164: if (*options == '\\' && options[1] == '"') {
165: options += 2;
166: patterns[i++] = '"';
167: continue;
168: }
169: patterns[i++] = *options++;
170: }
171: if (!*options) {
172: debug("%.100s, line %lu: missing end quote",
173: SSH_USER_PERMITTED_KEYS, linenum);
174: packet_send_debug("%.100s, line %lu: missing end quote",
175: SSH_USER_PERMITTED_KEYS, linenum);
176: continue;
177: }
178: patterns[i] = 0;
179: options++;
180: /*
181: * Deny access if we get a negative
182: * match for the hostname or the ip
183: * or if we get not match at all
184: */
185: mname = match_hostname(get_canonical_hostname(),
186: patterns, strlen(patterns));
187: mip = match_hostname(get_remote_ipaddr(),
188: patterns, strlen(patterns));
189: xfree(patterns);
190: if (mname == -1 || mip == -1 ||
191: (mname != 1 && mip != 1)) {
192: log("Authentication tried for %.100s with correct key but not from a permitted host (host=%.200s, ip=%.200s).",
193: pw->pw_name, get_canonical_hostname(),
194: get_remote_ipaddr());
195: packet_send_debug("Your host '%.200s' is not permitted to use this key for login.",
196: get_canonical_hostname());
197: /* deny access */
198: return 0;
199: }
200: /* Host name matches. */
201: goto next_option;
202: }
203: next_option:
204: /*
205: * Skip the comma, and move to the next option
206: * (or break out if there are no more).
207: */
208: if (!*options)
209: fatal("Bugs in auth-options.c option processing.");
210: if (*options == ' ' || *options == '\t')
211: break; /* End of options. */
212: if (*options != ',')
213: goto bad_option;
214: options++;
215: /* Process the next option. */
216: }
217: /* grant access */
218: return 1;
219:
220: bad_option:
221: log("Bad options in %.100s file, line %lu: %.50s",
222: SSH_USER_PERMITTED_KEYS, linenum, options);
223: packet_send_debug("Bad options in %.100s file, line %lu: %.50s",
224: SSH_USER_PERMITTED_KEYS, linenum, options);
225: /* deny access */
226: return 0;
227: }